IETF Logo Mail Archive

Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12

"Charles Eckel (eckelcu)" <eckelcu@cisco.com> Wed, 04 February 2015 18:40 UTC

Return-Path: <eckelcu@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7658F1A1AE3 for <bfcpbis@ietfa.amsl.com>; Wed, 4 Feb 2015 10:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kwqTr8lEbHB6 for <bfcpbis@ietfa.amsl.com>; Wed, 4 Feb 2015 10:40:18 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 573241A1A64 for <bfcpbis@ietf.org>; Wed, 4 Feb 2015 10:40:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=32904; q=dns/txt; s=iport; t=1423075218; x=1424284818; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=ceoy4fD/s9/r/z36seaNrjvxhgB9Sq2KIe0dGe45mC4=; b=fdqoyVogt9v5oaDXXjUxsXh0Uakhpw1YtDhIvKzkitWgi5cyijEB4xPm q59ZyArWR84aXh+kzEpMNVQd1g8wFOoWJiQLryA2zSzV3zMi2LUqr4xk4 inouc6eUC/03GFgEfuKpIwVT72qwq7Wcg7SFvZ6E0e7BEpUWL5RqwoG+7 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BvBQA1Z9JU/5pdJa1agkNDUlkEwj2FcQKBHkMBAQEBAX2EDAEBAQRnASECAQgRAwECFgEKAQYHMhQJCAIEARKILQ3WWQEBAQEBAQQBAQEBAQEBFwSPNjENCwYECAyECwWNHRCBY4NQgVCECYEXgwOCRkmHfYM9IoICHIFQb4EEBxcifgEBAQ
X-IronPort-AV: E=Sophos; i="5.09,519,1418083200"; d="scan'208,217"; a="120563613"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-5.cisco.com with ESMTP; 04 Feb 2015 18:40:17 +0000
Received: from xhc-aln-x06.cisco.com (xhc-aln-x06.cisco.com [173.36.12.80]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t14IeHMY016520 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 4 Feb 2015 18:40:17 GMT
Received: from xmb-aln-x08.cisco.com ([169.254.3.34]) by xhc-aln-x06.cisco.com ([173.36.12.80]) with mapi id 14.03.0195.001; Wed, 4 Feb 2015 12:40:16 -0600
From: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
To: Alissa Cooper <alissa@cooperw.in>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Thread-Topic: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12
Thread-Index: AQHQPAleDovxcQJAY0eo+YwSl+sRq5zgum0A
Date: Wed, 04 Feb 2015 18:40:16 +0000
Message-ID: <D0F684B3.3C625%eckelcu@cisco.com>
References: <DB7476B4-3F88-4A8F-804D-130A9907C6D8@cooperw.in>
In-Reply-To: <DB7476B4-3F88-4A8F-804D-130A9907C6D8@cooperw.in>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [10.24.185.183]
Content-Type: multipart/alternative; boundary="_000_D0F684B33C625eckelcuciscocom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/bfcpbis/mwMMPjiyYjZdsdteEVZoMacQNBM>
Subject: Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 18:40:22 -0000

HI Alissa,

Thank you for the review. Please see my thoughts on your comments and questions inline.

From: Alissa Cooper <alissa@cooperw.in<mailto:alissa@cooperw.in>>
Date: Thursday, January 29, 2015 at 10:19 PM
To: "bfcpbis@ietf.org<mailto:bfcpbis@ietf.org>" <bfcpbis@ietf.org<mailto:bfcpbis@ietf.org>>
Subject: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12

I have reviewed this draft in preparation for IETF LC. Overall the document appears in good shape. I have a few questions and comments I’d like to discuss before issuing the IETF last call. I’ve also included some editorial nits that should be addressed together with any last call comments.

Comments and questions:

= Section 5.1 =
"If an endpoint receives a message with an
     unsupported version field value, the receiving server MUST send an
     Error message with parameter value 12 (Unsupported Version) to
     indicate this.”

This seems a little misleading since RFC 4582 didn’t specify what to do upon receipt of a message with a version other than 1. Implementations that do not get upgraded to be compliant with 4582bis (which could certainly account for some of those that will not support version 2) will therefore never send the error specified here. This seems like it should at least be noted given the MUST-level requirement. The same applies in Section 13.7.

Good point. I believe we made this a MUST because we were thinking in terms of implementations compliant with this bis version. Adding your suggested note about rfc 4582 implementations here and in section 13.7 seems useful to me.



= Section 7 =
"BFCP entities MUST support, at a minimum, the
   TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite [6].”

I realize this requirement comes from RFC 4582, but I’d like to understand why it has not been updated to be consistent with more current guidance on cipher suite selection (e.g., https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-08#section-4).

How about we keep this minimum requirement, and add a reference to draft-ietf-uta-tls-bcp along with a recommendation to adhere to the best practices it outlines in section 4?



= Sections 8, 8.1, 8.2 =
It seems like the transaction ID requirements regarding non-reuse/monotonically increasing IDs are re-stated multiple times across these three sections, in slightly different ways, to the point where it’s not clear exactly what they are. It seems like they are:

(1) Reliable transport, server-initiated transaction: ID is 0
(2) Unreliable transport, server-initiated transaction: ID MUST be monotonically increasing (except for wrap-around)
(3) Reliable transport, client-initiated transaction: ID MUST NOT be 0 and MUST NOT be reused in another message from the client until a response from the server is received for the transaction, but need not be monotonically increasing (e.g., a lower, recently used ID could be re-used once a response is received)
(4) Unreliable transport, client-initiated transaction: ID MUST be monotonically increasing (except for wrap-around)

Is (3) the correct interpretation of the text in 8.1? If so, why not just require IDs in all client-initiated transactions to be monotonically increasing?

Agree we can and should simplify this. Sections 8.1 and 8.2 cover the client behavior and server behavior in detail. As such, the transaction ID related information at the start of Section 8 is superfluous. I recommend reducing the text in Section 8 to the follow:

8. Protocol Transactions

   In BFCP, there are two types of transactions: client-initiated
   transactions and server-initiated transactions.

   Client-initiated transactions consist of a request from a client to a
   floor control server and a response from the floor control server to
   the client.

   Server-initiated transactions have different behavior depending on
   underlying transport:

      When using a reliable transport, server-initiated transactions
      consist of a single message from a floor control server to a
      client (notifications).  They do not trigger any response.

      When using an unreliable transport, server-initiated transactions
      consist of a request from a floor control server to a client and a
      response from the client to the floor control server.

   When using BFCP over an unreliable transport, retransmission timer T1
   (see Section 8.3) MUST be used for all requests until the transaction
   is completed.

Then in section 8.1, we add the important details removed from section 8.

8.1.1 Client Behavior

   A client starting a client-initiated transaction MUST set the
   Conference ID in the common header of the message to the Conference
   ID for the conference that the client obtained previously.

   The client MUST set the Transaction ID value in the common header to
   a number that is different from 0 and that MUST NOT be reused in
   another message from the client until a response from the server is
   received for the transaction.  The client uses the Transaction ID
   value to match this message with the response from the floor control
   server. When using BFCP over an unreliable transport, it is important to
   choose a Transaction ID value that lets the receiver distinguish the reception
   of the next message in a sequence of BFCP messages from a retransmission
   of a previous message.  Therefore, BFCP entities using an unreliable transport MUST
   use monotonically increasing Transaction ID values (except for wrap-around).

   A client receiving a server-initiated transaction over an unreliable transport
   MUST copy the Transaction ID from the request received from the server into the
   response.
   [Question: is there a need to copy the Conference ID and User ID, if present?]

8.2. Server Behavior

   A floor control server sending a response within a client-initiated
   transaction MUST copy the Conference ID, the Transaction ID, and the
   User ID from the request received from the client into the response.

   Server-initiated transactions MUST contain a Transaction ID equal to
   0 when BFCP is used over a reliable transport.  Over an unreliable
   transport, the Transaction ID shall have the same properties as for
   client-initiated transactions. The server uses the Transaction ID value to
   match this message with the response from the floor participant or
   floor chair.



= Section 9 (impacts Section 14 as well) =
"BFCP clients SHOULD authenticate the floor control server before
   sending any BFCP message to it or accepting any BFCP message from it.
   Similarly, floor control servers SHOULD authenticate a client before
   accepting any BFCP message from it or sending any BFCP message to it.

   BFCP supports TLS/DTLS mutual authentication between clients and
   floor control servers, as specified in Section 9.1.  This is the
   RECOMMENDED authentication mechanism in BFCP.”

What are the cases where clients and servers do not need to be authenticating each other? I know this requirement and the other SHOULD-level requirements around use of TLS/DTLS are carried over from RFC 4582, but I’m concerned that they aren’t as strong as they should be. For a conference where the signaling traffic is authenticated and confidentiality and integrity protected, why is it ok for the floor control traffic not to be? Could these requirements be adjusted to require use of TLS/DTLS at least in cases where the signaling is also protected?

Yes, but again, this would be at the expense of adding a non backward compatible change from rfc 4582. How about saying TLS/DTLS MUST be used for BFCP in such cases, while pointing out the rfc 4582 based implementations may not comply (similar to what we did with the version field).


= Section 14 =
See the point above about ciphersuites. “Non-null encryption” is not a sufficient minimum baseline, and if the requirements change in Section 7 they should be reflected here as well.

Yep.



Editorial nits to be resolved with LC comments:

= Section 5.1 =
“The version field MUST be set to 1 when using BFCP over a reliable
   transport, i.e. as in [2].”

I find it a little odd to reference the spec you’re obsoleting in this sentence, especially since BFCP over a reliable transport is completely specified in this bis document. I would suggest dropping the i.e. clause.

Good catch. This is a carry over from before this draft was adopted as a bis version of rfc4582.


"The version field MUST be set to 2 when
   using BFCP over an unreliable transport with the extensions specified
   in this document.”

The bit about “with the extensions specified in this document” is extraneous and should be removed.

"If an endpoint receives a message with an
    unsupported version field value, the receiving server MUST send an
    Error message with parameter value 12 (Unsupported Version) to
    indicate this.”

Use of the word “server” here makes it sound as if only servers could receive headers with unsupported versions. Should this be “the receiving endpoint”?

= Section 6.2.4 =
"[23], Section 6.7 provides useful recommendations …”

The links in the references are not quite right.

= Section 8.3.2 =
s/when fires/when fired/

= Section 14 =
s/high-jack/hijack/

= Section B.1 =
"situation where multiple different and non-interoperable would co-
   exist in the market.”

There is a word missing after “non-interoperable."

This should read “non-interoperable implementations”. Earlier in that same sentence, “BFCP over UDP were already used” should read “BFCP over UDP is already being used”.

Cheers,
Charles

v2.23.0 | Report a Bug | By Email